Security
Cybersecurity
All APIs must be developed, tested and deployed in compliance with all Trimble cybersecurity policies. Information regarding cybersecurity at Trimble can be found on Trimble’s Cybersecurity Charlie page.
OWASP
The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. The OWASP API Security Top 10 focuses on strategies and solutions to understand and mitigate the vulnerabilities and security risks that are specific to APIs.
Although not described here in detail, the Spectral OWASP ruleset will be run against APIs submitted to the Cloud Console, and any failures will be noted and recorded. This ruleset covers some, but not all, of the Top 10, so a clean Spectral run does not on its own mean the requirements below are met.
To ensure secure software and systems and to address some of the major sections of OWASP:
- APIs MUST implement object-level authorization (OWASP API1, Broken Object Level Authorization): on every request that references an object by ID, the API must check that the authenticated caller is permitted to interact with that specific object, not just that the caller is allowed to use the endpoint.
- APIs MUST use Trimble Identity for authentication. APIs should be aware that API callers could be a user, a device or an application. APIs MUST validate the JWT on every request (signature, issuer, audience and expiry) and reject the request if any check fails.
- APIs SHOULD implement rate limiting to protect against resource exhaustion and brute-force attempts. APIs can leverage the traffic management policies, throttling or spike arrest within API Cloud to implement rate limiting.
- APIs MUST NOT use a separate authentication or authorization mechanism to implement an “administrator” or “superuser” concept; elevated privileges are expressed through the same Trimble Identity-based authorization that applies to every other caller.
- APIs MUST sanitize input, validate request parameters and reject the request immediately if validation fails, before any application logic runs. Always use safe defaults for optional API inputs so that the principle of least privilege holds when a parameter is omitted.
- APIs MUST be published and exposed through API Cloud (moving to Cloud Console) to maintain a clear inventory of the APIs.
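The following is an added example, not code from this page or from Trimble, showing how the JWT validation, object-level authorization, single-mechanism administrator handling and safe-default input validation requirements above fit together in one request handler. It is deliberately self-contained: the HS256 shared secret, issuer, audience, `orders:read:any` scope name and the in-memory order store are all constructed for the demo and stand in for Trimble Identity's real signing keys and claims, so only the checks, not the constants, carry over to a real service.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values. A real service verifies Trimble Identity tokens with the
# issuer's published public keys, not a shared secret; HS256 is used only so the
# example runs offline.
ISSUER = "https://id.example.invalid"
AUDIENCE = "orders-api"
SECRET = b"demo-shared-secret"
ADMIN_SCOPE = "orders:read:any"  # assumed scope name for the demo


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build an HS256 JWT. Exists only to construct test input for the demo."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


class AuthError(Exception):
    pass


def validate_jwt(token: str, now: Optional[float] = None) -> dict:
    """Verify algorithm, signature, issuer, audience and expiry; return the claims."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        raise AuthError("malformed token")
    # Pin the algorithm: never let the token's own header choose it (alg=none etc.).
    if header.get("alg") != "HS256":
        raise AuthError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise AuthError("bad signature")
    if claims.get("iss") != ISSUER:
        raise AuthError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise AuthError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise AuthError("expired")
    if "sub" not in claims:  # sub may be a user, a device or an application
        raise AuthError("no subject")
    return claims


# Constructed data store: each object records the subject that owns it.
ORDERS = {
    "o-1": {"owner": "user:alice", "total": 120.0, "card_last4": "4242"},
    "o-2": {"owner": "device:gnss-77", "total": 9.5, "card_last4": "0000"},
}


def validate_params(params: dict) -> dict:
    """Reject unknown or malformed parameters; the optional flag defaults to the safe value."""
    unknown = set(params) - {"include_payment"}
    if unknown:
        raise ValueError(f"unknown parameters: {sorted(unknown)}")
    flag = params.get("include_payment", "false")  # safe default: omit payment data
    if flag not in ("true", "false"):
        raise ValueError("include_payment must be true or false")
    return {"include_payment": flag == "true"}


def get_order(token: str, order_id: str, params: Optional[dict] = None, now=None):
    """Handler for GET /orders/{id}; returns (status, body)."""
    try:
        claims = validate_jwt(token, now)
    except AuthError as e:
        return 401, {"error": str(e)}
    try:
        opts = validate_params(params or {})  # validated before any business logic
    except ValueError as e:
        return 400, {"error": str(e)}
    # "Administrator" is just a scope in the same token, not a second auth mechanism.
    is_admin = ADMIN_SCOPE in claims.get("scope", "").split()
    order = ORDERS.get(order_id)
    # Object-level authorization: the caller must own this object (or hold the admin
    # scope). Missing and foreign objects both return 404 so IDs cannot be enumerated.
    if order is None or (order["owner"] != claims["sub"] and not is_admin):
        return 404, {"error": "not found"}
    body = {"id": order_id, "total": order["total"]}
    if opts["include_payment"]:
        body["card_last4"] = order["card_last4"]
    return 200, body
```

Note that the authorization decision is made per object, after the parameters are validated and before any data leaves the handler, and that the same 404 is returned for an object that does not exist and for one the caller may not see.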